[Bug 1233738] New: SELINUX prevents XRDP from working when in enforcing mode
https://bugzilla.suse.com/show_bug.cgi?id=1233738

            Bug ID: 1233738
           Summary: SELINUX prevents XRDP from working when in enforcing mode
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: jmscdba@gmail.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Hi Cathy,

In my test TW system that is using selinux I found that xrdp is not working.

When you attempt to RDP, after entering your credentials a dialog is displayed which says the login is successful, but then it says:

    VNC error - problem connecting
    some problem
    Error conneting to user session

If I run "setenforce 0" after booting then xrdp works fine.

If I watch the journal when selinux is enforcing I find:

    xrdp-sesman[6092]: pam_unix(xrdp-sesman:session): session opened for user denise(uid=1001) by (uid=0)
    xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_open_session
    xrdp-sesman[6149]: pam_kwallet5: final socket path: /run/user/1001/kwallet5.socket
    xrdp-sesman[6150]: pam_kwallet5: could not execute kwalletd from /usr/bin/kwalletd6
    xrdp-sesman[6092]: pam_systemd(xrdp-sesman:session): New sd-bus connection (system-bus-pam-systemd-6092) opened.
    xrdp-sesman[6092]: pam_unix(xrdp-sesman:session): session closed for user denise
    xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_close_session
    xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:setcred): pam_kwallet5: pam_sm_setcred
    systemd[1]: session-c7.scope: Deactivated successfully.
ausearch shows these denied messages:

    ausearch -ts boot | grep -i denied
    type=AVC msg=audit(1732232293.658:185): avc: denied { transition } for pid=2613 comm="xrdp-sesman" path="/usr/bin/kwalletd6" dev="sda2" ino=1779042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
    type=AVC msg=audit(1732232293.658:188): avc: denied { transition } for pid=2616 comm="xrdp-sesman" path="/usr/bin/bash" dev="sda2" ino=1719714 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
    type=AVC msg=audit(1732232303.435:189): avc: denied { transition } for pid=2621 comm="xrdp-sesman" path="/usr/sbin/xrdp-chansrv" dev="sda2" ino=1455897 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

I'm still getting up to speed with selinux, but it seems to me that xrdp tries to launch /usr/bin/xrdp-chansrv and it is denied because there is no selinux policy to allow it. However, I thought that when TARGETED mode was used selinux would have allowed it? Or does the package need to be updated to include a policy to allow xrdp so that it works in enforcing mode?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
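The three AVC records above are the whole diagnostic signal in this report: one source domain (unconfined_service_t) is refused a process transition into unconfined_t for three different executables, and permissive=0 on each record shows the denials were enforced, which is consistent with xrdp working after "setenforce 0". The Python script below is an added example, not part of the bug report or of the openSUSE selinux-policy package: it parses AVC records as ausearch prints them, keeps enforced denials apart from permissive-mode logging, groups them by source type, target type, object class and permission, and lists the object paths involved, so the question "which rule is missing?" can be answered before reaching for audit2allow. Its input is the three records quoted above plus one constructed permissive=1 record (comm="example", path="/tmp/constructed") that is not from the report.

```python
import re
from collections import Counter

# Sample audit data. The first three records are the AVC lines quoted in the
# bug report above; the fourth is a constructed record (not from the report)
# logged with permissive=1, to show how the parser keeps permissive-mode
# logging separate from enforced denials.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1732232293.658:185): avc: denied { transition } for pid=2613 comm="xrdp-sesman" path="/usr/bin/kwalletd6" dev="sda2" ino=1779042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232293.658:188): avc: denied { transition } for pid=2616 comm="xrdp-sesman" path="/usr/bin/bash" dev="sda2" ino=1719714 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232303.435:189): avc: denied { transition } for pid=2621 comm="xrdp-sesman" path="/usr/sbin/xrdp-chansrv" dev="sda2" ino=1455897 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232400.000:200): avc: denied { read write } for pid=2700 comm="example" path="/tmp/constructed" dev="sda2" ino=1 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
"""

# Shape of an AVC record as printed by ausearch: fixed prefix, a result word,
# a brace-delimited permission set, then "for" and space-separated key=value
# fields (values may be double-quoted).
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in KV_RE.findall(m.group("fields")):
        rec[key] = bare if bare else quoted
    # permissive=1 means the access was logged but not blocked.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def type_of(context):
    """Return the type component of a context string user:role:type[:level]."""
    return context.split(":")[2]


def summarize_denials(audit_text):
    """Count denials per (source type, target type, class, permission).

    Returns two Counters: enforced denials (permissive=0), which actually
    broke something, and permissive-mode denials, which only predict what
    would break under enforcement."""
    enforced, permissive_only = Counter(), Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        bucket = permissive_only if rec["permissive"] else enforced
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            bucket[key] += 1
    return enforced, permissive_only


def denied_paths(audit_text):
    """Sorted set of object paths from enforced denials (the executables here)."""
    paths = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and not rec["permissive"] and "path" in rec:
            paths.add(rec["path"])
    return sorted(paths)


def as_allow_rules(counter):
    """Render each bucket as the allow rule audit2allow would propose.

    This is input for a policy review, not something to load blindly: a
    transition rule between these two domains is a design decision."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counter)


if __name__ == "__main__":
    enforced, logged = summarize_denials(SAMPLE_AUDIT)
    for key, n in enforced.items():
        print(f"enforced x{n}: source={key[0]} target={key[1]} {key[2]}:{key[3]}")
    for key, n in logged.items():
        print(f"permissive x{n}: source={key[0]} target={key[1]} {key[2]}:{key[3]}")
    print("objects:", ", ".join(denied_paths(SAMPLE_AUDIT)))
    for rule in as_allow_rules(enforced):
        print("candidate rule for review:", rule)
```

Run against real data with `ausearch -m AVC -ts boot` piped into SAMPLE_AUDIT's place. Grouping by type rather than by full context is deliberate: SELinux rules are written in terms of types, and the user and role fields differ between records without changing which rule is missing.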
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c1

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |jsegitz@suse.com

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---
I'll have a look
https://bugzilla.suse.com/show_bug.cgi?id=1233738

Joe S <jmscdba@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmscdba@gmail.com
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c2

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
Please install this policy and give it a try:

    https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELin...

After installing please run:

    semanage boolean -m -1 unconfined_service_transition_to_confined_user

If you still have issues afterwards please run

    chcon -t bin_t /etc/xrdp/startwm.sh
    chcon -t bin_t /etc/xrdp/reconnectwm.sh

and try again.
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c3

--- Comment #3 from Johannes Segitz <jsegitz@suse.com> ---
Recent changes in security:SELinux broke the policy I built for you, I'll repair it
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c4

--- Comment #4 from Johannes Segitz <jsegitz@suse.com> ---
https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELin...
will contain the fix (once it builds)
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c5

--- Comment #5 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #4)
> https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1233738_6/selinux-policy
> will contain the fix (once it build)
Hi Johannes,

Thanks for taking a look at this. Sorry for the delay, I have been sick in bed the last few days.

Here's the console log of trying to install the rpm
---------------------------------------------------

    zypper -v install /tmp/selinux-policy-20241118-308.1.noarch.rpm
    Verbosity: 2
    Non-option program arguments: '/tmp/selinux-policy-20241118-308.1.noarch.rpm'
    '/tmp/selinux-policy-20241118-308.1.noarch.rpm' looks like an RPM file. Will try to download it.
    Initializing Target
    Checking whether to refresh metadata for google-chrome
    Retrieving: repomd.xml ...[done]
    Checking whether to refresh metadata for openSUSE-Tumbleweed-Non-Oss (20241119)
    Retrieving: repomd.xml ...[done (1.1 KiB/s)]
    Checking whether to refresh metadata for Open H.264 Codec (openSUSE Tumbleweed)
    Retrieving: repomd.xml ...[done (242 B/s)]
    Checking whether to refresh metadata for openSUSE-Tumbleweed-Oss (20241119)
    Retrieving: repomd.xml ...[done (1.1 KiB/s)]
    Checking whether to refresh metadata for openSUSE-Tumbleweed-Update
    Retrieving: repomd.xml ...[done (1.1 KiB/s)]
    Checking whether to refresh metadata for Plain RPM files cache
    Loading repository data...
    Reading installed packages...
    Selecting 'selinux-policy-20241118-308.1.noarch' from repository 'Plain RPM files cache' for installation.
    Resolving package dependencies...
    Force resolution: No

    Problem: 1: the installed selinux-policy-targeted-20241105-1.1.noarch requires 'selinux-policy = 20241105-1.1', but this requirement cannot be provided
     Solution 1: Following actions will be done:
      deinstallation of selinux-policy-targeted-20241105-1.1.noarch
      deinstallation of patterns-base-selinux-20200505-59.1.x86_64
      deinstallation of container-selinux-2.232.1-1.2.noarch
     Solution 2: do not install selinux-policy-20241118-308.1.noarch
     Solution 3: break selinux-policy-targeted-20241105-1.1.noarch by ignoring some of its dependencies

    Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1
    Applying solution 1
    Resolving dependencies...
    Resolving package dependencies...
    Force resolution: No

    The following package is going to be upgraded:
      selinux-policy 20241105-1.1 -> 20241118-308.1

    The following package is going to change vendor:
      selinux-policy 20241105-1.1 -> 20241118-308.1  openSUSE -> obs://build.opensuse.org/home:jsegitz

    The following 3 packages are going to be REMOVED:
      container-selinux 2.232.1-1.2
      patterns-base-selinux 20200505-59.1
      selinux-policy-targeted 20241105-1.1

    The following pattern is going to be REMOVED:
      selinux 20200505-59.1

    1 package to upgrade, 3 to remove, 1 to change vendor.
    Package download size: 82.1 KiB
    Package install size change:
                |      25.0 KiB  required by packages that will be installed
      -24.8 MiB |    - 24.8 MiB  released by packages that will be removed

    Backend: classic_rpmtrans
    Continue? [y/n/v/...? shows all options] (y): y
    committing
    Retrieving: selinux-policy-20241118-308.1.noarch (Plain RPM files cache) (1/1), 82.1 KiB
    selinux-policy-20241118-308.1.noarch.rpm:
        Header V3 RSA/SHA256 Signature, key ID 3150ff4ecd0ba9c9: NOKEY
        Header SHA256 digest: OK
        Header SHA1 digest: OK
        Payload SHA256 digest: OK
        V3 RSA/SHA256 Signature, key ID 3150ff4ecd0ba9c9: NOKEY
        MD5 digest: OK
    warning: /var/tmp/zypp.ROeCQ1/zypper/_tmpRPMcache_/%CLI%/selinux-policy-20241118-308.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY
    Looking for gpg key ID CD0BA9C9 in cache /var/cache/zypp/pubkeys.
    Repository Plain RPM files cache does not define additional 'gpgkey=' URLs.
    selinux-policy-20241118-308.1.noarch (Plain RPM files cache): Signature verification failed [4-Signatures public key is not available]
    Abort, retry, ignore? [a/r/i] (a): i
    Checking for file conflicts: ...[done]
    (1/4) Removing: container-selinux-2.232.1-1.2.noarch ...[done]
    warning: /etc/selinux/targeted/contexts/customizable_types saved as /etc/selinux/targeted/contexts/customizable_types.rpmsave
    (2/4) Removing: selinux-policy-targeted-20241105-1.1.noarch ...[done]
    warning: /var/cache/zypper/RPMS/selinux-policy-20241118-308.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY
    error: selabel_open: (/etc/selinux/targeted/contexts/files/file_contexts) No such file or directory
    error: Plugin selinux: hook tsm_pre failed
    (3/4) Installing: selinux-policy-20241118-308.1.noarch ...[error]
    Installation of selinux-policy-20241118-308.1.noarch failed:
    Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
    Abort, retry, ignore? [a/r/i] (a): i
    error: selabel_open: (/etc/selinux/targeted/contexts/files/file_contexts) No such file or directory
    error: Plugin selinux: hook tsm_pre failed
    (4/4) Removing: patterns-base-selinux-20200505-59.1.x86_64 ...[error]
    Removal of (59724)patterns-base-selinux-20200505-59.1.x86_64(@System) failed:
    Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
    Abort, retry, ignore? [a/r/i] (a): i
    Running post-transaction scripts ...[done]
    CommitResult  (total 4, done 4, error 0, skipped 0, updateMessages 0)
    Checking for running processes using deleted libraries...

    semanage boolean -m -1 unconfined_service_transition_to_confined_user
    ---------------------------------------------------------------------
    libsemanage.semanage_read_policydb: Could not open kernel policy /var/lib/selinux/targeted/active/policy.kern for reading. (No such file or directory).
    FileNotFoundError: No such file or directory

    reboot

Obviously that resulted in an unbootable system with error:

    [!!!!!!] Failed to load SELinux policy

During the install of the rpm you provided, Option 1 was selected, but I'm sure that the removal of the following packages is what breaks selinux during the boot:

    container-selinux 2.232.1-1.2
    patterns-base-selinux 20200505-59.1
    selinux-policy-targeted 20241105-1.1

I am new to selinux but I suspect that the expected result would have been to just install your package to replace the existing one.

To recover I
  - edited the Grub boot item temporarily to set selinux=0
  - rolled back the changes from a "before" snapshot I took
  - rebooted

NOTE: I am testing this in a KVM vm which was created from a copy of the qcow2 file that is used by a VM that I regularly use. After booting the KVM copy the first time, I installed selinux using the instructions Cathy provided and then removed apparmor. Prior to installing the test rpm, SELinux has not had any issues other than the xrdp issue we are discussing here.

Please let me know if you need any other details. Thanks for your efforts.
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c6

--- Comment #6 from Johannes Segitz <jsegitz@suse.com> ---
Thanks for testing. That is weird, I'll have a look. For me it works without issues
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c7

--- Comment #7 from Johannes Segitz <jsegitz@suse.com> ---
Okay, once I formatted this in a way that is simple to read it's easy to figure out: please add the full repository instead of just installing one rpm

    zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security...
    zypper in --allow-vendor-change selinux-policy-targeted

Then it should work
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c8

--- Comment #8 from Joe S <jmscdba@gmail.com> ---
Created attachment 879009
  --> https://bugzilla.suse.com/attachment.cgi?id=879009&action=edit
Test results and summary
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c9

--- Comment #9 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #7)
> okay once I formatted this in a way that is simple to read it's easy to
> figure out: Please add the full repository instead of just installing one rpm
>
> zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security:/SELinux_1232328/openSUSE_Factory/home:jsegitz:branches:security:SELinux_1232328.repo
> zypper in --allow-vendor-change selinux-policy-targeted
>
> Then it should work

Since you had trouble with the formatting last time I attached test.2.log with the results.

Summary:
  - Install had some failures with resolving roletype statement
  - semanage got ValueError (assuming because of first issue)
  - chcon commands worked
  - journal has issue with starting kwalletd
  - xrdp dialog says login successful BUT vnc cannot connect

The attached test.2.log has everything done with the results
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c10

--- Comment #10 from Johannes Segitz <jsegitz@suse.com> ---
    semanage boolean -m -1 unconfined_service_transition_to_confined_user
    ValueError: Boolean unconfined_service_transition_to_confined_user is not defined

That indicates that you don't have the policy installed that I provided (even though the logs look like they installed correctly). Please provide the output of

    zypper info selinux-policy-targeted
https://bugzilla.suse.com/show_bug.cgi?id=1233738

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(jmscdba@gmail.com)
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c11

--- Comment #11 from Johannes Segitz <jsegitz@suse.com> ---
Happy new year. Would be great if you could provide the requested information (please also include the output of

    semanage boolean -l

)

Thanks
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c12

--- Comment #12 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #10)
> semanage boolean -m -1 unconfined_service_transition_to_confined_user
> ValueError: Boolean unconfined_service_transition_to_confined_user is not defined
>
> That indicates that you don't have the policy installed that I provided
> (even though the logs look like they installed correctly).

Happy New Year. Sorry, I was away for the holidays and when I came back I had to deal with all the EOY tasks for my business.

Were you able to view the test.2.log file that I attached? When I look at that log it does not appear to me that it installs correctly. Note the warning and failed messages from the zypper install command in the test.2.log:

    warning: /var/cache/zypp/packages/home_jsegitz_branches_security_SELinux_1232328/noarch/selinux-policy-20241129-308.4.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY
    Failed to resolve roletype statement at /var/lib/selinux/targeted/tmp/modules/400/cepces/cil:2
    Failed to resolve AST
    /usr/sbin/semodule: Failed!
    (1/2) Installing: selinux-policy-20241129-308.4.noarch ...[done]
    warning: /var/cache/zypp/packages/home_jsegitz_branches_security_SELinux_1232328/noarch/selinux-policy-targeted-20241129-308.4.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY
    warning: /etc/selinux/targeted/contexts/customizable_types saved as /etc/selinux/targeted/contexts/customizable_types.rpmsave
    warning: file /var/lib/selinux/targeted/active/modules/100/openct: remove failed: No such file or directory
    (2/2) Installing: selinux-policy-targeted-20241129-308.4.noarch ...[done]
    %posttrans(selinux-policy-targeted-20241129-308.4.noarch) script output:

> Please provide the output of zypper info selinux-policy-targeted

    Information for package selinux-policy-targeted:
    ------------------------------------------------
    Repository     : Branch project for package selinux-policy (openSUSE_Factory)
    Name           : selinux-policy-targeted
    Version        : 20241129-308.4
    Arch           : noarch
    Vendor         : obs://build.opensuse.org/home:jsegitz
    Installed Size : 24.9 MiB
    Installed      : Yes
    Status         : up-to-date
    Source package : selinux-policy-20241129-308.4.src
    Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
    Summary        : SELinux targeted base policy
    Description    :
        SELinux policy targeted base module.

Could the TW build of this system be causing the issue? This system is a clone of my production system, which is running TW 20241119. That was pretty close to current when I reported the problem and when I installed on 11/22/2024, but it is now many builds behind. I didn't update the Production system in December because there were some issues in 20241119 which I was waiting for fixes to be released for, and then when it got too close to the EOY I couldn't update because of EOY things that needed to be done.

If you think that is why I am running into the issues with your fix, then I can retest as soon as I am able to update to a later build.
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c13

--- Comment #13 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #11)
> Happy new year. Would be great if you could provide the requested
> information (please also include the output of semanage boolean -l)
>
> Thanks
semanage boolean -l output:

    SELinux boolean                          State    Default  Description
    abrt_anon_write                          (off  ,  off)     Allow abrt to anon write
    abrt_handle_event                        (on   ,   on)     Allow abrt to handle event
    abrt_upload_watch_anon_write             (on   ,   on)     Allow abrt to upload watch anon write
    antivirus_can_scan_system                (off  ,  off)     Allow antivirus to can scan system
    antivirus_use_jit                        (off  ,  off)     Allow antivirus to use jit
    auditadm_exec_content                    (on   ,   on)     Allow auditadm to exec content
    authlogin_nsswitch_use_ldap              (off  ,  off)     Allow authlogin to nsswitch use ldap
    authlogin_radius                         (off  ,  off)     Allow authlogin to radius
    authlogin_yubikey                        (off  ,  off)     Allow authlogin to yubikey
    awstats_purge_apache_log_files           (off  ,  off)     Allow awstats to purge apache log files
    boinc_execmem                            (on   ,   on)     Allow boinc to execmem
    cdrecord_read_content                    (off  ,  off)     Allow cdrecord to read content
    cluster_can_network_connect              (off  ,  off)     Allow cluster to can network connect
    cluster_manage_all_files                 (off  ,  off)     Allow cluster to manage all files
    cluster_use_execmem                      (off  ,  off)     Allow cluster to use execmem
    cobbler_anon_write                       (off  ,  off)     Allow cobbler to anon write
    cobbler_can_network_connect              (off  ,  off)     Allow cobbler to can network connect
    cobbler_use_cifs                         (off  ,  off)     Allow cobbler to use cifs
    cobbler_use_nfs                          (off  ,  off)     Allow cobbler to use nfs
    collectd_tcp_network_connect             (off  ,  off)     Allow collectd to tcp network connect
    colord_use_nfs                           (off  ,  off)     Allow colord to use nfs
    condor_tcp_network_connect               (off  ,  off)     Allow condor to tcp network connect
    conman_can_network                       (off  ,  off)     Allow conman to can network
    conman_use_nfs                           (off  ,  off)     Allow conman to use nfs
    cron_can_relabel                         (off  ,  off)     Allow cron to can relabel
    cron_system_cronjob_use_shares           (off  ,  off)     Allow cron to system cronjob use shares
    cron_userdomain_transition               (on   ,   on)     Allow cron to userdomain transition
    cups_execmem                             (off  ,  off)     Allow cups to execmem
    cvs_read_shadow                          (off  ,  off)     Allow cvs to read shadow
    daemons_dontaudit_scheduling             (on   ,   on)     Allow daemons to dontaudit scheduling
    daemons_dump_core                        (on   ,   on)     Allow daemons to dump core
    daemons_enable_cluster_mode              (off  ,  off)     Allow daemons to enable cluster mode
    daemons_use_tcp_wrapper                  (off  ,  off)     Allow daemons to use tcp wrapper
    daemons_use_tty                          (off  ,  off)     Allow daemons to use tty
    dbadm_exec_content                       (on   ,   on)     Allow dbadm to exec content
    dbadm_manage_user_files                  (off  ,  off)     Allow dbadm to manage user files
    dbadm_read_user_files                    (off  ,  off)     Allow dbadm to read user files
    deny_bluetooth                           (off  ,  off)     Allow deny to bluetooth
    deny_execmem                             (off  ,  off)     Allow deny to execmem
    deny_ptrace                              (off  ,  off)     Allow deny to ptrace
    dhcpc_exec_iptables                      (off  ,  off)     Allow dhcpc to exec iptables
    dhcpd_use_ldap                           (off  ,  off)     Allow dhcpd to use ldap
    dnsmasq_use_ipset                        (off  ,  off)     Allow dnsmasq to use ipset
    domain_can_mmap_files                    (on   ,   on)     Allow domain to can mmap files
    domain_can_write_kmsg                    (off  ,  off)     Allow domain to can write kmsg
    domain_fd_use                            (on   ,   on)     Allow domain to fd use
    domain_kernel_load_modules               (off  ,  off)     Allow domain to kernel load modules
    entropyd_use_audio                       (on   ,   on)     Allow entropyd to use audio
    exim_can_connect_db                      (off  ,  off)     Allow exim to can connect db
    exim_manage_user_files                   (off  ,  off)     Allow exim to manage user files
    exim_read_user_files                     (off  ,  off)     Allow exim to read user files
    fcron_crond                              (off  ,  off)     Allow fcron to crond
    fenced_can_network_connect               (off  ,  off)     Allow fenced to can network connect
    fenced_can_ssh                           (off  ,  off)     Allow fenced to can ssh
    fips_mode                                (on   ,   on)     Allow fips to mode
    ftpd_anon_write                          (off  ,  off)     Allow ftpd to anon write
    ftpd_connect_all_unreserved              (off  ,  off)     Allow ftpd to connect all unreserved
    ftpd_connect_db                          (off  ,  off)     Allow ftpd to connect db
    ftpd_full_access                         (off  ,  off)     Allow ftpd to full access
    ftpd_use_cifs                            (off  ,  off)     Allow ftpd to use cifs
    ftpd_use_fusefs                          (off  ,  off)     Allow ftpd to use fusefs
    ftpd_use_nfs                             (off  ,  off)     Allow ftpd to use nfs
    ftpd_use_passive_mode                    (off  ,  off)     Allow ftpd to use passive mode
    git_cgi_enable_homedirs                  (off  ,  off)     Allow git to cgi enable homedirs
    git_cgi_use_cifs                         (off  ,  off)     Allow git to cgi use cifs
    git_cgi_use_nfs                          (off  ,  off)     Allow git to cgi use nfs
    git_session_bind_all_unreserved_ports    (off  ,  off)     Allow git to session bind all unreserved ports
    git_session_users                        (off  ,  off)     Allow git to session users
    git_system_enable_homedirs               (off  ,  off)     Allow git to system enable homedirs
    git_system_use_cifs                      (off  ,  off)     Allow git to system use cifs
    git_system_use_nfs                       (off  ,  off)     Allow git to system use nfs
    gitosis_can_sendmail                     (off  ,  off)     Allow gitosis to can sendmail
    glance_api_can_network                   (off  ,  off)     Allow glance to api can network
    glance_use_execmem                       (off  ,  off)     Allow glance to use execmem
    glance_use_fusefs                        (off  ,  off)     Allow glance to use fusefs
    global_ssp                               (off  ,  off)     Allow global to ssp
    gluster_anon_write                       (off  ,  off)     Allow gluster to anon write
    gluster_export_all_ro                    (off  ,  off)     Allow gluster to export all ro
    gluster_export_all_rw                    (on   ,   on)     Allow gluster to export all rw
    gluster_use_execmem                      (off  ,  off)     Allow gluster to use execmem
    gpg_web_anon_write                       (off  ,  off)     Allow gpg to web anon write
    gssd_read_tmp                            (on   ,   on)     Allow gssd to read tmp
    guest_exec_content                       (off  ,  off)     Allow guest to exec content
    haproxy_connect_any                      (off  ,  off)     Allow haproxy to connect any
    httpd_anon_write                         (off  ,  off)     Allow httpd to anon write
    httpd_builtin_scripting                  (on   ,   on)     Allow httpd to builtin scripting
    httpd_can_check_spam                     (off  ,  off)     Allow httpd to can check spam
    httpd_can_connect_ftp                    (off  ,  off)     Allow httpd to can connect ftp
    httpd_can_connect_ldap                   (off  ,  off)     Allow httpd to can connect ldap
    httpd_can_connect_mythtv                 (off  ,  off)     Allow httpd to can connect mythtv
    httpd_can_connect_zabbix                 (off  ,  off)     Allow httpd to can connect zabbix
    httpd_can_manage_courier_spool           (off  ,  off)     Allow httpd to can manage courier spool
    httpd_can_network_connect                (off  ,  off)     Allow httpd to can network connect
    httpd_can_network_connect_cobbler        (off  ,  off)     Allow httpd to can network connect cobbler
    httpd_can_network_connect_db             (off  ,  off)     Allow httpd to can network connect db
    httpd_can_network_memcache               (off  ,  off)     Allow httpd to can network memcache
    httpd_can_network_redis                  (off  ,  off)     Allow httpd to can network redis
    httpd_can_network_relay                  (off  ,  off)     Allow httpd to can network relay
    httpd_can_sendmail                       (off  ,  off)     Allow httpd to can sendmail
    httpd_dbus_avahi                         (on   ,   on)     Allow httpd to dbus avahi
    httpd_dbus_sssd                          (off  ,  off)     Allow httpd to dbus sssd
    httpd_dontaudit_search_dirs              (off  ,  off)     Allow httpd to dontaudit search dirs
    httpd_enable_cgi                         (on   ,   on)     Allow httpd to enable cgi
    httpd_enable_ftp_server                  (off  ,  off)     Allow httpd to enable ftp server
    httpd_enable_homedirs                    (off  ,  off)     Allow httpd to enable homedirs
    httpd_execmem                            (off  ,  off)     Allow httpd to execmem
    httpd_graceful_shutdown                  (off  ,  off)     Allow httpd to graceful shutdown
    httpd_manage_ipa                         (off  ,  off)     Allow httpd to manage ipa
    httpd_mod_auth_ntlm_winbind              (off  ,  off)     Allow httpd to mod auth ntlm winbind
    httpd_mod_auth_pam                       (off  ,  off)     Allow httpd to mod auth pam
    httpd_read_user_content                  (off  ,  off)     Allow httpd to read user content
    httpd_run_ipa                            (off  ,  off)     Allow httpd to run ipa
    httpd_run_preupgrade                     (off  ,  off)     Allow httpd to run preupgrade
    httpd_run_stickshift                     (off  ,  off)     Allow httpd to run stickshift
    httpd_serve_cobbler_files                (off  ,  off)     Allow httpd to serve cobbler files
    httpd_setrlimit                          (off  ,  off)     Allow httpd to setrlimit
    httpd_ssi_exec                           (off  ,  off)     Allow httpd to ssi exec
    httpd_sys_script_anon_write              (off  ,  off)     Allow httpd to sys script anon write
    httpd_tmp_exec                           (off  ,  off)     Allow httpd to tmp exec
    httpd_tty_comm                           (off  ,  off)     Allow httpd to tty comm
    httpd_unified                            (off  ,  off)     Allow httpd to unified
    httpd_use_cifs                           (off  ,  off)     Allow httpd to use cifs
    httpd_use_fusefs                         (off  ,  off)     Allow httpd to use fusefs
    httpd_use_gpg                            (off  ,  off)     Allow httpd to use gpg
    httpd_use_nfs                            (off  ,  off)     Allow httpd to use nfs
    httpd_use_opencryptoki                   (off  ,  off)     Allow httpd to use opencryptoki
    httpd_use_openstack                      (off  ,  off)     Allow httpd to use openstack
    httpd_use_sasl                           (off  ,  off)     Allow httpd to use sasl
    httpd_verify_dns                         (off  ,  off)     Allow httpd to verify dns
    icecast_use_any_tcp_ports                (off  ,  off)     Allow icecast to use any tcp ports
    init_audit_control                       (on   ,   on)     Allow init to audit control
    init_create_dirs                         (on   ,   on)     Allow init to create dirs
    irc_use_any_tcp_ports                    (off  ,  off)     Allow irc to use any tcp ports
    irssi_use_full_network                   (off  ,  off)     Allow irssi to use full network
    kdumpgui_run_bootloader                  (off  ,  off)     Allow kdumpgui to run bootloader
    keepalived_connect_any                   (off  ,  off)     Allow keepalived to connect any
    kerberos_enabled                         (on   ,   on)     Allow kerberos to enabled
    ksmtuned_use_cifs                        (off  ,  off)     Allow ksmtuned to use cifs
    ksmtuned_use_nfs                         (off  ,  off)     Allow ksmtuned to use nfs
    logadm_exec_content                      (on   ,   on)     Allow logadm to exec content
    logging_syslogd_append_public_content    (off  ,  off)     Allow logging to syslogd append public content
    logging_syslogd_can_sendmail             (off  ,  off)     Allow logging to syslogd can sendmail
    logging_syslogd_list_non_security_dirs   (off  ,  off)     Allow logging to syslogd list non security dirs
    logging_syslogd_run_nagios_plugins       (off  ,  off)     Allow logging to syslogd run nagios plugins
    logging_syslogd_run_unconfined           (off  ,  off)     Allow logging to syslogd run unconfined
    logging_syslogd_use_tty                  (on   ,   on)     Allow logging to syslogd use tty
    login_console_enabled                    (on   ,   on)     Allow login to console enabled
    logrotate_read_inside_containers         (off  ,  off)     Allow logrotate to read inside containers
    logrotate_use_cifs                       (off  ,  off)     Allow logrotate to use cifs
    logrotate_use_fusefs                     (off  ,  off)     Allow logrotate to use fusefs
    logrotate_use_nfs                        (off  ,  off)     Allow logrotate to use nfs
    logwatch_can_network_connect_mail        (off  ,  off)     Allow logwatch to can network connect mail
    lsmd_plugin_connect_any                  (off  ,  off)     Allow lsmd to plugin connect any
    mailman_use_fusefs                       (off  ,  off)     Allow mailman to use fusefs
    mcelog_client                            (off  ,  off)     Allow mcelog to client
    mcelog_exec_scripts                      (on   ,   on)     Allow mcelog to exec scripts
    mcelog_foreground                        (off  ,  off)     Allow mcelog to foreground
    mcelog_server                            (off  ,  off)     Allow mcelog to server
    minidlna_read_generic_user_content       (off  ,  off)     Allow minidlna to read generic user content
    mmap_low_allowed                         (off  ,  off)     Allow mmap to low allowed
    mock_enable_homedirs                     (off  ,  off)     Allow mock to enable homedirs
    mount_anyfile                            (on   ,   on)     Allow mount to anyfile
    mozilla_plugin_bind_unreserved_ports     (off  ,  off)     Allow mozilla to plugin bind unreserved ports
    mozilla_plugin_can_network_connect       (on   ,   on)     Allow mozilla to plugin can network connect
    mozilla_plugin_use_bluejeans             (off  ,  off)     Allow mozilla to plugin use bluejeans
    mozilla_plugin_use_gps                   (off  ,  off)     Allow mozilla to plugin use gps
    mozilla_plugin_use_spice                 (off  ,  off)     Allow mozilla to plugin use spice
    mozilla_read_content                     (off  ,  off)     Allow mozilla to read content
    mpd_enable_homedirs                      (off  ,  off)     Allow mpd to enable homedirs
    mpd_use_cifs                             (off  ,  off)     Allow mpd to use cifs
    mpd_use_nfs                              (off  ,  off)     Allow mpd to use nfs
    mplayer_execstack                        (off  ,  off)     Allow mplayer to execstack
    mysql_connect_any                        (off  ,  off)     Allow mysql to connect any
    mysql_connect_http                       (off  ,  off)     Allow mysql to connect http
    nagios_run_pnp4nagios                    (off  ,  off)     Allow nagios to run pnp4nagios
    nagios_run_sudo                          (off  ,  off)     Allow nagios to run sudo
    nagios_use_nfs                           (off  ,  off)     Allow nagios to use nfs
    named_tcp_bind_http_port                 (off  ,  off)     Allow named to tcp bind http port
    named_write_master_zones                 (on   ,   on)     Allow named to write master zones
    neutron_can_network                      (off  ,  off)     Allow neutron to can network
    nfs_export_all_ro                        (on   ,   on)     Allow nfs to export all ro
    nfs_export_all_rw                        (on   ,   on)     Allow nfs to export all rw
    nfsd_anon_write                          (off  ,  off)     Allow nfsd to anon write
    nis_enabled                              (off  ,  off)     Allow nis to enabled
    nscd_use_shm                             (on   ,   on)     Allow nscd to use shm
    openfortivpn_can_network_connect         (on   ,   on)     Allow openfortivpn to can network connect
    openshift_use_nfs                        (off  ,  off)     Allow openshift to use nfs
    openvpn_allow_changing_sysctls           (off  ,  off)     Allow openvpn to allow changing sysctls
    openvpn_can_network_connect              (on   ,   on)     Allow openvpn to can network connect
    openvpn_enable_homedirs                  (off  ,  off)     Allow openvpn to enable homedirs
    openvpn_run_unconfined                   (off  ,  off)     Allow openvpn to run unconfined
    pcp_bind_all_unreserved_ports            (off  ,  off)     Allow pcp to bind all unreserved ports
    pcp_read_generic_logs                    (off  ,  off)     Allow pcp to read generic logs
    pdns_can_network_connect_db              (off  ,  off)     Allow pdns to can network connect db
    polipo_connect_all_unreserved            (off  ,  off)     Allow polipo to connect all unreserved
    polipo_session_bind_all_unreserved_ports (off  ,  off)     Allow polipo to session bind all unreserved ports
    polipo_session_users                     (off  ,  off)     Allow polipo to session users
    polipo_use_cifs                          (off  ,  off)     Allow polipo to use cifs
    polipo_use_nfs                           (off  ,  off)     Allow polipo to use nfs
    polyinstantiation_enabled                (off  ,  off)     Allow polyinstantiation to enabled
    postfix_local_write_mail_spool           (off  ,  off)     Allow postfix to local write mail spool
    postgresql_can_rsync                     (off  ,  off)     Allow postgresql to can rsync
    postgresql_selinux_transmit_client_label (off  ,  off)     Allow postgresql to selinux transmit client label
    postgresql_selinux_unconfined_dbadm      (on   ,   on)     Allow postgresql to selinux unconfined dbadm
    postgresql_selinux_users_ddl             (on   ,   on)     Allow postgresql to selinux users ddl
    pppd_can_insmod                          (off  ,  off)     Allow pppd to can insmod
    pppd_for_user                            (off  ,  off)     Allow pppd to for user
    privoxy_connect_any                      (off  ,  off)     Allow privoxy to connect any
    prosody_bind_http_port                   (off  ,  off)     Allow prosody to bind http port
    puppetagent_manage_all_files             (off  ,  off)     Allow puppetagent to manage all files
    puppetmaster_use_db                      (off  ,  off)     Allow puppetmaster to use db
    racoon_read_shadow                       (off  ,  off)     Allow racoon to read shadow
    radius_use_jit                           (off  ,  off)     Allow radius to use jit
    redis_enable_notify                      (off  ,  off)     Allow redis to enable notify
    rngd_execmem                             (off  ,  off)     Allow rngd to execmem
    rpcd_use_fusefs                          (off  ,  off)     Allow rpcd to use fusefs
    rsync_anon_write                         (off  ,  off)     Allow rsync to anon write
    rsync_client                             (off  ,  off)     Allow rsync to client
    rsync_exec_commands                      (on   ,   on)     Allow rsync to exec commands
    rsync_export_all_ro                      (off  ,  off)     Allow rsync to export all ro
    rsync_full_access                        (off  ,  off)     Allow rsync to full access
    rsync_sys_admin                          (off  ,  off)     Allow rsync to sys admin
    rtorrent_enable_rutorrent                (off  ,  off)     Allow rtorrent to enable rutorrent
    rtorrent_exec_scripts                    (off  ,  off)     Allow rtorrent to exec scripts
    rtorrent_send_mails                      (off  ,  off)     Allow rtorrent to send mails
    samba_create_home_dirs                   (off  ,  off)     Allow samba to create home dirs
    samba_domain_controller                  (off  ,  off)     Allow samba to domain controller
    samba_enable_home_dirs                   (off  ,  off)     Allow samba to enable home dirs
    samba_export_all_ro                      (off  ,  off)     Allow samba to export all ro
    samba_export_all_rw                      (off  ,  off)     Allow samba to export all rw
    samba_load_libgfapi                      (off  ,  off)     Allow samba to load libgfapi
    samba_portmapper                         (off  ,  off)     Allow samba to portmapper
    samba_run_unconfined                     (off  ,  off)     Allow samba to run unconfined
    samba_share_fusefs                       (off  ,  off)     Allow samba to share fusefs
    samba_share_nfs                          (off  ,  off)     Allow samba to share nfs
    sanlock_enable_home_dirs                 (off  ,  off)     Allow sanlock to enable home dirs
    sanlock_use_fusefs                       (off  ,  off)     Allow sanlock to use fusefs
    sanlock_use_nfs                          (off  ,  off)     Allow sanlock to use nfs
    sanlock_use_samba                        (off  ,  off)     Allow sanlock to use samba
    saslauthd_read_shadow                    (off  ,  off)     Allow saslauthd to read shadow
    screen_allow_session_sharing             (off  ,  off)     Allow screen to allow session sharing
    secadm_exec_content                      (on   ,   on)     Allow secadm to exec content
    secure_mode                              (off  ,  off)     Allow secure to mode
    secure_mode_insmod                       (off  ,  off)     Allow secure to mode insmod
    secure_mode_policyload                   (off  ,  off)     Allow secure to mode policyload
    selinuxuser_direct_dri_enabled           (off  ,  off)     Allow selinuxuser to direct dri enabled
    selinuxuser_execheap                     (off  ,  off)     Allow selinuxuser to execheap
    selinuxuser_execmod                      (off  ,  off)     Allow selinuxuser to execmod
    selinuxuser_execstack                    (off  ,  off)     Allow selinuxuser to execstack
    selinuxuser_mysql_connect_enabled        (off  ,  off)     Allow selinuxuser to mysql connect enabled
    selinuxuser_ping                         (off  ,  off)     Allow selinuxuser to ping
selinuxuser_postgresql_connect_enabled (off , off) Allow selinuxuser to postgresql connect enabled selinuxuser_rw_noexattrfile (off , off) Allow selinuxuser to rw noexattrfile selinuxuser_share_music (off , off) Allow selinuxuser to share music selinuxuser_tcp_server (off , off) Allow selinuxuser to tcp server selinuxuser_udp_server (off , off) Allow selinuxuser to udp server selinuxuser_use_ssh_chroot (off , off) Allow selinuxuser to use ssh chroot smartmon_3ware (off , off) Allow smartmon to 3ware smbd_anon_write (off , off) Allow smbd to anon write spamassassin_can_network (off , off) Allow spamassassin to can network spamd_enable_home_dirs (off , off) Allow spamd to enable home dirs spamd_update_can_network (off , off) Allow spamd to update can network squid_bind_snmp_port (off , off) Allow squid to bind snmp port squid_connect_any (off , off) Allow squid to connect any squid_use_tproxy (off , off) Allow squid to use tproxy ssh_chroot_rw_homedirs (off , off) Allow ssh to chroot rw homedirs ssh_keysign (off , off) Allow ssh to keysign ssh_sysadm_login (off , off) Allow ssh to sysadm login ssh_use_tcpd (off , off) Allow ssh to use tcpd sslh_can_bind_any_port (off , off) Allow sslh to can bind any port sslh_can_connect_any_port (off , off) Allow sslh to can connect any port sssd_access_kernel_keys (off , off) Allow sssd to access kernel keys sssd_connect_all_unreserved_ports (off , off) Allow sssd to connect all unreserved ports sssd_use_usb (off , off) Allow sssd to use usb staff_exec_content (on , on) Allow staff to exec content staff_use_svirt (off , off) Allow staff to use svirt swift_can_network (off , off) Allow swift to can network sysadm_exec_content (on , on) Allow sysadm to exec content systemd_socket_proxyd_bind_any (off , off) Allow systemd to socket proxyd bind any systemd_socket_proxyd_connect_any (off , off) Allow systemd to socket proxyd connect any telepathy_connect_all_ports (off , off) Allow telepathy to connect all ports 
telepathy_tcp_connect_generic_network_ports (off , off) Allow telepathy to tcp connect generic network ports tftp_anon_write (off , off) Allow tftp to anon write tftp_home_dir (off , off) Allow tftp to home dir tmpreaper_use_cifs (off , off) Allow tmpreaper to use cifs tmpreaper_use_nfs (off , off) Allow tmpreaper to use nfs tmpreaper_use_samba (off , off) Allow tmpreaper to use samba tomcat_can_network_connect_db (off , off) Allow tomcat to can network connect db tomcat_read_rpm_db (off , off) Allow tomcat to read rpm db tomcat_use_execmem (off , off) Allow tomcat to use execmem tor_bind_all_unreserved_ports (off , off) Allow tor to bind all unreserved ports tor_can_network_relay (off , off) Allow tor to can network relay tor_can_onion_services (off , off) Allow tor to can onion services unconfined_chrome_sandbox_transition (on , on) Allow unconfined to chrome sandbox transition unconfined_dyntrans_all (off , off) Allow unconfined to dyntrans all unconfined_login (on , on) Allow unconfined to login unconfined_mozilla_plugin_transition (on , on) Allow unconfined to mozilla plugin transition unprivuser_use_svirt (off , off) Allow unprivuser to use svirt use_ecryptfs_home_dirs (off , off) Allow use to ecryptfs home dirs use_fusefs_home_dirs (off , off) Allow use to fusefs home dirs use_lpd_server (off , off) Allow use to lpd server use_nfs_home_dirs (on , on) Allow use to nfs home dirs use_samba_home_dirs (off , off) Allow use to samba home dirs use_virtualbox (off , off) Allow use to virtualbox user_exec_content (on , on) Allow user to exec content varnishd_connect_any (off , off) Allow varnishd to connect any virt_hooks_unconfined (off , off) Allow virt to hooks unconfined virt_lockd_blk_devs (off , off) Allow virt to lockd blk devs virt_qemu_ga_manage_ssh (off , off) Allow virt to qemu ga manage ssh virt_qemu_ga_read_nonsecurity_files (off , off) Allow virt to qemu ga read nonsecurity files virt_qemu_ga_run_unconfined (off , off) Allow virt to qemu ga run 
unconfined virt_read_qemu_ga_data (off , off) Allow virt to read qemu ga data virt_rw_qemu_ga_data (off , off) Allow virt to rw qemu ga data virt_sandbox_share_apache_content (off , off) Allow virt to sandbox share apache content virt_sandbox_use_all_caps (on , on) Allow virt to sandbox use all caps virt_sandbox_use_audit (on , on) Allow virt to sandbox use audit virt_sandbox_use_fusefs (off , off) Allow virt to sandbox use fusefs virt_sandbox_use_mknod (off , off) Allow virt to sandbox use mknod virt_sandbox_use_netlink (off , off) Allow virt to sandbox use netlink virt_sandbox_use_sys_admin (off , off) Allow virt to sandbox use sys admin virt_transition_userdomain (off , off) Allow virt to transition userdomain virt_use_comm (off , off) Allow virt to use comm virt_use_execmem (off , off) Allow virt to use execmem virt_use_fusefs (off , off) Allow virt to use fusefs virt_use_glusterd (off , off) Allow virt to use glusterd virt_use_nfs (on , on) Allow virt to use nfs virt_use_pcscd (off , off) Allow virt to use pcscd virt_use_rawip (off , off) Allow virt to use rawip virt_use_samba (off , off) Allow virt to use samba virt_use_sanlock (off , off) Allow virt to use sanlock virt_use_usb (on , on) Allow virt to use usb virt_use_xserver (off , off) Allow virt to use xserver virtqemud_use_execmem (on , on) Allow virtqemud to use execmem webadm_manage_user_files (off , off) Allow webadm to manage user files webadm_read_user_files (off , off) Allow webadm to read user files wine_mmap_zero_ignore (off , off) Allow wine to mmap zero ignore xdm_bind_vnc_tcp_port (off , off) Allow xdm to bind vnc tcp port xdm_exec_bootloader (off , off) Allow xdm to exec bootloader xdm_manage_bootloader (on , on) Allow xdm to manage bootloader xdm_sysadm_login (off , off) Allow xdm to sysadm login xdm_write_home (off , off) Allow xdm to write home xen_use_nfs (off , off) Allow xen to use nfs xen_use_qemu_for_dom0_disk_backend (off , off) Allow xen to use qemu for dom0 disk backend 
xend_run_blktap (on , on) Allow xend to run blktap xend_run_qemu (on , on) Allow xend to run qemu xguest_connect_network (on , on) Allow xguest to connect network xguest_exec_content (off , off) Allow xguest to exec content xguest_mount_media (on , on) Allow xguest to mount media xguest_use_bluetooth (on , on) Allow xguest to use bluetooth xserver_clients_write_xshm (off , off) Allow xserver to clients write xshm xserver_execmem (off , off) Allow xserver to execmem xserver_object_manager (off , off) Allow xserver to object manager zabbix_can_network (off , off) Allow zabbix to can network zabbix_run_sudo (off , off) Allow zabbix to run sudo zarafa_setrlimit (off , off) Allow zarafa to setrlimit zebra_write_config (off , off) Allow zebra to write config zoneminder_anon_write (off , off) Allow zoneminder to anon write zoneminder_run_sudo (off , off) Allow zoneminder to run sudo -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c14

--- Comment #14 from Johannes Segitz <jsegitz@suse.com> ---
the updated policy is not installed. We had some issues with newer policy versions where modules got removed; you probably ran into this. I forked the Factory policy for you with only this change on top. You can add the repo via:

zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/openSUSE...

Please try to install the policy. After you did this, verify that it worked with:

semanage boolean -m -1 unconfined_service_transition_to_unconfined_user

(be aware that I changed the boolean name). If this gives you an error then it failed again. Otherwise it should work for you after that.
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c15

--- Comment #15 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #14)

Hi Johannes,

Ok, I restored the test system back to before our last test and then followed your instructions. I will attach the install log as test.3.log, but here is a summary:

It looks like the install worked this time; however, it did create a *.rpmsave file which I didn't do anything with since I haven't done any customizations.

After the install I ran semanage with the new boolean variable name but nothing is displayed. Here's the semanage command cut/pasted from your reply:

semanage boolean -m -1 unconfined_service_transition_to_unconfined_user

Other than the variable not displaying, everything seemed to work, so I rebooted and attempted to login via RDP. The RDP session connects and the user is logged in, but the KDE desktop is not displayed and instead the user is left at a tty session running bash.

Looking back at the prior test, I ran these commands again (since the test system was restored before this new test):

chcon -t bin_t /etc/xrdp/startwm.sh
chcon -t bin_t /etc/xrdp/reconnectwm.sh

Then I restarted the xrdp service and now the user is logged in and gets their KDE desktop. So even though semanage does not display the variable, it would appear that this pretty much fixes the issue.

If you want/need any other info from me please let me know.

When these changes are finalized and pushed to Factory, shouldn't the xrdp package installation be updated to perform those 2 chcon commands, otherwise you don't get the desktop session?
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c16

--- Comment #16 from Joe S <jmscdba@gmail.com> ---
Created attachment 879578 --> https://bugzilla.suse.com/attachment.cgi?id=879578&action=edit
Test 3 installation log
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c17

--- Comment #17 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #14)

In case you wanted to see the unconfine values that do exist:

semanage boolean -l | grep -i unconfine
logging_syslogd_run_unconfined (off , off) Allow logging to syslogd run unconfined
openvpn_run_unconfined (off , off) Allow openvpn to run unconfined
postgresql_selinux_unconfined_dbadm (on , on) Allow postgresql to selinux unconfined dbadm
samba_run_unconfined (off , off) Allow samba to run unconfined
unconfined_chrome_sandbox_transition (on , on) Allow unconfined to chrome sandbox transition
unconfined_dyntrans_all (off , off) Allow unconfined to dyntrans all
unconfined_login (on , on) Allow unconfined to login
unconfined_mozilla_plugin_transition (on , on) Allow unconfined to mozilla plugin transition
unconfined_service_transition_to_unconfined_user (on , on) Allow unconfined to service transition to unconfined user
virt_hooks_unconfined (off , off) Allow virt to hooks unconfined
virt_qemu_ga_run_unconfined (off , off) Allow virt to qemu ga run unconfined
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c18

--- Comment #18 from Johannes Segitz <jsegitz@suse.com> ---
great, thank you very much for testing. So the boolean works. Now let's make sure the scripts are properly labeled. Can you please send me the output of

rpm -qf /etc/xrdp/startwm.sh

and

rpm -qf /etc/xrdp/reconnectwm.sh

then I can submit everything for the next policy update
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c19

Johannes Segitz <jsegitz@suse.com> changed:

What  |Removed                      |Added
------+-----------------------------+------
Flags |needinfo?(jmscdba@gmail.com) |

--- Comment #19 from Johannes Segitz <jsegitz@suse.com> ---
I have all the information I need, thank you
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c20

--- Comment #20 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #18)
> great, thank you very much for testing. So the boolean works. Now let's make
> sure the scripts are properly labeled. Can you please send me the output of
> rpm -qf /etc/xrdp/startwm.sh and rpm -qf /etc/xrdp/reconnectwm.sh then I can
> submit everything for the next policy update

Hi Johannes,

Here you go:

rpm -qf /etc/xrdp/startwm.sh
xrdp-0.9.23.1-4.1.x86_64

rpm -qf /etc/xrdp/reconnectwm.sh
xrdp-0.9.23.1-4.1.x86_64
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c21

--- Comment #21 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #18)
> great, thank you very much for testing. So the boolean works.

RDP works, but I am confused why

semanage boolean -m -1 unconfined_service_transition_to_unconfined_user

did not list the boolean?

FYI, I am looking to update the production machine and then I can retest switching the test machine to selinux and then applying your changes again, UNLESS you would prefer I wait or you need other information. Let me know....

Thanks for all your help, much appreciated!
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c22

--- Comment #22 from Johannes Segitz <jsegitz@suse.com> ---
it is not expected that semanage boolean -m lists the boolean. semanage boolean -l lists the booleans.

You can do that on your production machine or wait until next week, then the fix is likely in the official policy. I don't have a preference
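A small check script for the two things this thread turns on, added here as an example; it is not part of the bug report, the xrdp package or the SUSE policy package. It parses `semanage boolean -l` output (the format shown in comment #17) to report a boolean's current state, which is the listing comment #22 points to: `semanage boolean -m --on NAME` (the `-m -1` form from comment #14) sets the value and prints nothing on success, which is why comment #15 saw no output. It also reads `ls -Z` lines to report the SELinux type on the two xrdp scripts that comment #15 relabelled with `chcon`. The `persist_label` function is my addition, not something the thread prescribes: a `chcon` label is lost on the next relabel (`restorecon`, `fixfiles`, an autorelabel), whereas a `semanage fcontext` rule survives until the policy package itself carries the right file context. The sample `semanage` and `ls -Z` lines are constructed, and `etc_t` as the pre-`chcon` type is an assumption (the default label for files under /etc).

```shell
#!/bin/sh
# Added example, not code from the bug report or from the SUSE policy.
# parse_bool   : stdin = `semanage boolean -l` output, $1 = boolean name,
#                prints the CURRENT state ("on"/"off") or "missing".
# check_label  : stdin = `ls -Z` lines ("context path"), $1 = path,
#                prints the SELinux type (third field of the context) or "missing".
# persist_label: real system only; makes the bin_t label on the two xrdp
#                scripts survive a relabel (chcon alone does not).

parse_bool() {
    # Line format: name (cur , default) description
    awk -v want="$1" '
        $1 == want { cur = $2; sub(/^\(/, "", cur); print cur; found = 1; exit }
        END { if (!found) print "missing" }'
}

check_label() {
    # Line format: user:role:type:level path
    awk -v want="$1" '
        $2 == want { split($1, c, ":"); print c[3]; found = 1; exit }
        END { if (!found) print "missing" }'
}

persist_label() {
    # Needs root on an SELinux-enabled host. semanage fcontext takes a
    # regular expression; restorecon then applies it to the files.
    semanage fcontext -a -t bin_t '/etc/xrdp/(startwm|reconnectwm)\.sh' &&
    restorecon -v /etc/xrdp/startwm.sh /etc/xrdp/reconnectwm.sh
}

# Constructed sample in the shape of the `semanage boolean -l` output posted
# in the thread (three entries are enough to exercise the parser).
SAMPLE_BOOLS='unconfined_dyntrans_all (off , off) Allow unconfined to dyntrans all
unconfined_login (on , on) Allow unconfined to login
unconfined_service_transition_to_unconfined_user (on , on) Allow unconfined to service transition to unconfined user'

# Constructed sample of `ls -Z /etc/xrdp/*.sh` where only startwm.sh has been
# relabelled with chcon; etc_t as the original type is an assumption.
SAMPLE_LS='system_u:object_r:bin_t:s0 /etc/xrdp/startwm.sh
system_u:object_r:etc_t:s0 /etc/xrdp/reconnectwm.sh'

xrdp_selinux_report() {
    # One-line summary of the three checks over the constructed samples.
    # On a live host feed the real command output into the same functions.
    b=$(printf '%s\n' "$SAMPLE_BOOLS" | parse_bool unconfined_service_transition_to_unconfined_user)
    s=$(printf '%s\n' "$SAMPLE_LS" | check_label /etc/xrdp/startwm.sh)
    r=$(printf '%s\n' "$SAMPLE_LS" | check_label /etc/xrdp/reconnectwm.sh)
    printf 'boolean=%s startwm=%s reconnectwm=%s\n' "$b" "$s" "$r"
}

xrdp_selinux_report
```

On a live host the same functions take the real output: `semanage boolean -l | parse_bool unconfined_service_transition_to_unconfined_user` and `ls -Z /etc/xrdp/*.sh | check_label /etc/xrdp/startwm.sh`. Anything other than `on` and `bin_t` reproduces the two failure modes of the thread (the missing policy boolean, and the scripts not being executable as bin_t). Run `persist_label` only as root on an SELinux-enabled system, and drop the fcontext rule again with `semanage fcontext -d` once the policy package ships the label itself.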
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c27

--- Comment #27 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #22)
> You can do that on your production machine or wait until next week, then the
> fix is likely in the official policy. I don't have a preference

Ok, thanks. I am going to wait and when it hits Factory, then I will restore the test machine to match the production machine, repeat the conversion from apparmor to selinux and then retest xrdp to make sure it works.

Looks like it is still in Factory Staging 1. Any idea what TW build it will make it into?
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c28

--- Comment #28 from Johannes Segitz <jsegitz@suse.com> ---
No, that's outside of my control. But usually these updates just go through, so it shouldn't take long